Day 6 — Finishing Getting Started, and a Lesson with it!
Wrapped the Getting Started module on HTB Academy’s Pentester Job Path… and made a mistake that cost me sanity and time :)
The setup
Started the night with a clear plan: pick up at the Nibbles walkthrough, finish Getting Started, do a couple of Maldev modules, sleep.
Started following the Nibbles walkthrough. Enumerated and tried some potential credentials (that ended up working). Got a foothold through a plugin that had a hole allowing me to upload PHP (a reverse shell). Then I made a silly mistake. I Ctrl+C’d what I thought was my terminal, but it was actually my listener.
Re-upload the image.php, restart the listener, retrigger.
Except it wasn’t that easy.
The wrong rabbit hole
I spent the next 30 minutes assuming the problem was my exploit.
I started questioning whether or not I had the knowledge to be on my own. Re-read sections of the module, scratched my head and…
The actual problem
Eventually I ran these four diagnostic commands:
```
ip a show tun0
ps aux | grep openvpn
sudo ss -tlnp | grep 4444
ping -c 3 <target>
```
The ps aux told me:
```
root 33018 pts/3 Apr26 openvpn academy-regular.ovpn
root 163818 pts/0 19:36 openvpn /home/slug/academy-regular.ovpn
```
Two openvpn processes. One started two days ago, one started thirteen minutes ago. Both authenticated to HTB.
That’s why nothing worked. The two VPN sessions were arguing with each other.
```
sudo killall openvpn
sleep 5
sudo openvpn ~/academy-regular.ovpn
```
One VPN process. Every payload I tried for the next half hour worked first try. Keeping track of your tabs seems to be important…
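As an added example (not from the post, and not an HTB tool), here is a small POSIX shell check that does what the diagnosis above did by hand: count the openvpn client processes in `ps aux` output and flag anything other than exactly one. The sample `ps aux` lines are constructed with the full column layout, and the function names `count_openvpn` and `check_vpn_state` are chosen here.

```shell
#!/bin/sh
# Added example: detect duplicate openvpn sessions before blaming the exploit.
# Not from the original post; sample data below is constructed.

# Constructed sample of `ps aux` output with the 11 fixed columns
# (USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND ...).
SAMPLE_PS='root  33018 0.0 0.2 11876 5432 pts/3 S  Apr26 0:05 openvpn academy-regular.ovpn
slug   1234 0.0 0.0  6412  712 pts/1 S+ 19:49 0:00 grep openvpn
root 163818 0.0 0.2 11876 5432 pts/0 S  19:36 0:00 openvpn /home/slug/academy-regular.ovpn'

# Read ps output on stdin and print how many lines have openvpn as the
# COMMAND column (field 11), whether written bare or as a full path.
# Matching on the column instead of grepping the whole line keeps the
# "grep openvpn" line itself out of the count.
count_openvpn() {
    awk '$11 ~ /(^|\/)openvpn$/ { n++ } END { print n + 0 }'
}

# Evaluate ps output passed as $1. Exit status: 0 = exactly one session,
# 1 = no session, 2 = more than one session (the state that broke the shell).
check_vpn_state() {
    n=$(printf '%s\n' "$1" | count_openvpn)
    if [ "$n" -eq 1 ]; then
        echo "OK: one openvpn process"
        return 0
    elif [ "$n" -eq 0 ]; then
        echo "No openvpn process; start the VPN first"
        return 1
    fi
    echo "WARNING: $n openvpn processes; they will fight over tun0"
    echo "Fix: sudo killall openvpn; sleep 5; sudo openvpn ~/academy-regular.ovpn"
    return 2
}

# Usage: sh check_vpn.sh --live   (checks the real process list)
#        sh check_vpn.sh --demo   (runs against the constructed sample)
case "${1:-}" in
    --live) check_vpn_state "$(ps aux)" ;;
    --demo) check_vpn_state "$SAMPLE_PS" ;;
esac
```

Run it with `--live` before retriggering a payload; a non-zero exit means the problem is the tunnel, not the exploit, and the two-process case prints the same kill-and-restart sequence used above.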
The content of the module
Worth noting what Getting Started covers:
- Pentest methodology
- Service enumeration patterns
- Basic Linux foothold patterns
- Privesc via writable scripts
- Walkthrough boxes (Nibbles, then a Knowledge Check at the end)
The methodology framing is the part that sticks. The specific exploits will be different on every box; the shape of “find a service, identify the version, look for known CVEs, get a foothold, look for sudo / cron / SUID binaries / writable scripts, escalate” stays the same. By the end of the module I could feel the methodology starting to autopilot, which is the whole point.
What’s next
Network Enumeration with Nmap is the next module! Looking forward to it.
Six days down. The lab is real, the attack box works (now), the methodology is starting to click.